                                                                             
                             The Cuckoo's Egg
                    ------------------------------------
                              by Clifford Stoll
                                                                             
                                                                             
           Until  a  week  before,  I  had  been  an  astronomer, contentedly
        designing  telescope optics. But then I found myself transferred from
        the  Keck  Observatory at the Lawrence Berkeley Lab (LBL) down to the
        computer center in the basement of the same building.                
           On  either  side of my new cubicle were the offices of two systems
        people, Wayne Graves and Dave Cleveland, the old hands of the system.
        Together,  Wayne,  Dave, and I were to run the computers as a labwide
        utility.  We managed a dozen mainframe computers-giant workhorses for
        solving  physics  problems,  together  worth  around  $6 million. The
        scientists  using  the  computers  were  supposed  to  see  a simple,
        powerful  computing system, as reliable as the electric company. This
        meant  keeping  the machines running full-time, around the clock. And
        just  like a utility company, we charged for every cycle of computing
        that was used.                                                       
           On  my  second  day,  Dave was mumbling about a hiccup in the Unix
        accounting  system. Someone must have used a few seconds of computing
        time  without  paying  for  it.  The  computer's  books  didn't quite
        balance; last month's bills of $2,387 showed a 75-cent shortfall.    
           Now, an error of a few thousand dollars is obvious, and isn't hard
        to  find.  But  errors in the pennies column arise from deeply buried
        problems,  so  finding  these  bugs  is  a natural test for a budding
        software wizard.                                                     
           Around  about  7 p.m., my eye caught the name of one user, Hunter.
         This guy didn't have a valid billing address. Ha! Hunter had used 75
        cents  of  time  in the past month, but nobody had paid for him. Here
        was  the source of our imbalance. Someone had screwed up while adding
        a user to our system. A trivial problem caused by a trivial error.   
           A  day  later,  an  obscure  computer  named Dockmaster sent us an
        electronic-mail message. Its system manager claimed that someone from
        our laboratory had tried to break into his computer over the weekend.
        I guessed Dockmaster was some navy shipyard. It wasn't important, but
        it seemed worth spending a few minutes looking into.                 
           The  message  gave  the  date  and  time  when someone on our Unix
        computer  tried  to  log  in to Dockmaster's computer. Our stock Unix
        accounting  file  showed a user, Sventek, logging in to our system at
        8:25,  doing  nothing  for  half  an hour, and then disconnecting. No
        time-stamped activity in between. Our homebrew software also recorded
        Sventek's  activity,  but  it showed him using the networks from 8:31
        until 9:01 a.m.                                                      
           Jeez. Another accounting problem. The timestamps didn't agree. One
        recorded activity when the other account said everything was dormant.
           Why  were  the two accounting systems keeping different times? And
        why  was  some  activity logged in one file without showing up in the
        other?  Was  this  related  to  the earlier accounting problem? Had I
        screwed things up when I poked around before? Or was there some other
        explanation-was there a hacker on the loose?                         
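The accounting cross-check described above, written out as an added Python example (this is not code from the book or from LBL's systems). Two constructed records stand in for the stock Unix accounting file and the homebrew network log; the check reports network events that fall outside any recorded login session, sessions during which the network log saw nothing, and how far each stray event lies from the nearest session boundary, which is what separates a clock-skew explanation from activity the accounting file simply never recorded. File formats, user names other than Sventek, and all times are assumptions made for the example.

```python
"""Reconcile two accounting sources that should agree about who was on the
machine and when.  Both inputs are constructed for this example and mimic the
mismatch in the story: the stock accounting file shows a session with no
activity inside it, while the homebrew network log shows activity that runs
past the end of that session."""
from datetime import datetime, timedelta

# Constructed stock-accounting file: one session per line
# (user, login date/time, logout date/time, terminal port).
SESSION_LOG = """\
sventek   1986-08-25 08:25  1986-08-25 08:55  tt23
graves    1986-08-25 09:00  1986-08-25 11:30  tt04
cleveland 1986-08-25 13:00  1986-08-25 13:10  tt09
"""

# Constructed homebrew network log: one event per line
# (date, time, user, action, network).
NETWORK_LOG = """\
1986-08-25 08:31  sventek  connect     tymnet
1986-08-25 09:01  sventek  disconnect  tymnet
1986-08-25 10:15  graves   connect     milnet
"""

FMT = "%Y-%m-%d %H:%M"


def parse_sessions(text):
    """Return a list of (user, start, end, port) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, d1, t1, d2, t2, port = line.split()
        sessions.append((user, datetime.strptime(f"{d1} {t1}", FMT),
                         datetime.strptime(f"{d2} {t2}", FMT), port))
    return sessions


def parse_events(text):
    """Return a list of (user, when, action, network) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, t, user, action, net = line.split()
        events.append((user, datetime.strptime(f"{d} {t}", FMT), action, net))
    return events


def reconcile(sessions, events, slack=timedelta(0)):
    """Cross-check the two records.

    Returns (orphan_events, idle_sessions):
      orphan_events -- network events for a user who, according to the
                       accounting file, was not logged in at that moment;
      idle_sessions -- accounting sessions during which the network log
                       recorded nothing at all for that user.
    `slack` widens each session to tolerate small clock differences."""
    covered = set()
    orphans = []
    for user, when, action, net in events:
        hits = [s for s in sessions
                if s[0] == user and s[1] - slack <= when <= s[2] + slack]
        if hits:
            covered.update(hits)
        else:
            orphans.append((user, when, action, net))
    idle = [s for s in sessions if s not in covered]
    return orphans, idle


def minutes_past_boundary(orphan, sessions):
    """Distance in minutes from an orphan event to the nearest session
    boundary of the same user.  A cluster of small values points at clock
    skew between the two systems; large or scattered values point at
    activity that the accounting file never recorded."""
    user, when = orphan[0], orphan[1]
    edges = [e for s in sessions if s[0] == user for e in (s[1], s[2])]
    if not edges:
        return None
    return min(abs((when - e).total_seconds()) for e in edges) / 60


def report():
    """Run the cross-check on the constructed data and return plain tuples."""
    sessions = parse_sessions(SESSION_LOG)
    events = parse_events(NETWORK_LOG)
    orphans, idle = reconcile(sessions, events)
    return {
        "orphans": [(u, w.strftime(FMT), a, n,
                     minutes_past_boundary((u, w, a, n), sessions))
                    for u, w, a, n in orphans],
        "idle": [(u, s.strftime(FMT), e.strftime(FMT), p) for u, s, e, p in idle],
    }


if __name__ == "__main__":
    for key, rows in report().items():
        print(key)
        for row in rows:
            print("  ", row)
```

On the constructed data the 09:01 disconnect is reported as an orphan six minutes past the accounting logout, and Cleveland's session is reported idle; rerunning `reconcile` with ten minutes of slack makes the orphan disappear, which is the quick way to tell whether a few minutes of clock drift would explain everything.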
           So  how  do you find a hacker? I figured it was simple: just watch
        for anyone using Sventek's accounts, and try to trace the connection.
        I  spent  Thursday  watching people log in to the computer. I wrote a
        program  to  beep my terminal whenever someone connected. At 12:33 on
        Thursday  afternoon,  Sventek logged in. I felt a rush of adrenaline,
        then  a  complete  letdown when he disappeared within a minute. Where
        was  he?  The  only  pointer  left  for  me was the identifier of his
        terminal:  he  had  used  terminal  port  tt23. I suspected a dial-in
         modem, connected from some telephone line, but it might conceivably
        be someone at the laboratory.                                        
           By lucky accident, the connection had left some footprints behind.
        Paul Murray, a reclusive hardware technician who hides in thickets of
        telephone  wire,  had  been  collecting statistics on how many people
        used  our  communications  switchyard.  By chance he had recorded the
        port numbers of each connection for the past month. Since I knew when
        Sventek  was  active  on port tt23, we could figure out where he came
        from.  The printout of the statistics showed a one-minute, 1,200-bit-
        per-second connection had taken place at 12:33.                      
           Any lab employee here on the hill would run at high speed-9,600 or
        19,200  bps.  Only someone calling through a modem would let his data
        dribble  out  a 1,200-bps soda straw. But how to catch him? About the
        only  place  to  watch our incoming traffic was in between the modems
        and  the  computers.  Our  modem lines were flat, 25-conductor wires,
        snaking  underneath  the  switchyard's  false  floor.  A  printer  or
        personal  computer  could  be  wired  in  parallel with each of these
        lines, recording every keystroke that came through.                  
           A kludge? Yes. Workable? Maybe.                                   
           All we'd need were 50 teletypes, printers, and portable computers.
        I  rounded  them  up;  strewn  with four dozen obsolete teletypes and
        portable  terminals,  the  floor  looked  like  a computer engineer's
        nightmare. I slept in the middle, nursing the printers and computers.
        Each  was  grabbing  data from a different line, and whenever someone
        dialed  our system, I'd wake up to the chatter of their typing. Every
        half-hour, a printer would run out of paper or a computer out of disk
        space,  so  I'd  have  to  roll  over and reload. Saturday morning, a
         coworker shook me awake. "Well, where's your hacker?"
           The first 49 printers and monitors showed nothing interesting. But
        from  the 50th trailed 80 feet of printout. During the night, someone
        had sneaked in through a hole in the operating system.               
           For  three  hours a hacker had strolled through my system, reading
        whatever  he  wished.  Unknown  to  him,  my  DECwriter had saved his
         session on single-spaced computer paper. Here was every command he
        issued, every typing mistake, and every response from the computer.  
           This  printer  monitored  the  line  from Tymnet, a communications
        company  that  interconnected  computers around the world. Our hacker
        might be anywhere.                                                   

                         How the Cuckoo Laid Its Egg

           The hacker had become a super-user. He was like a cuckoo bird. The
        cuckoo  is  a  nesting  parasite  that  lays her eggs in other birds'
        nests:  some  other bird will raise her young. The survival of cuckoo
        chicks depends on the ignorance of other species.                    
            Our mysterious visitor had laid an egg-program into our computer,
         letting the system hatch it and feed it privileges.
           That morning, the hacker wrote a short program to grab privileges.
        Normally,  Unix  won't  allow  such  a program to run, since it never
        gives  privileges  beyond  what a user is assigned. But if our hacker
        ran  this  program from a privileged account, he'd become privileged.
        His  problem was to masquerade this special program-the cuckoo's egg-
        so that it would be hatched by the system.                           
           Every  five  minutes,  the  Unix  system  executes its own program
         called atrun. In turn, atrun schedules other jobs and does routine
        housecleaning  tasks.  It  runs  in  a privileged mode, with the full
        power  and  trust of the operating system behind it. If a bogus atrun
        program  were  substituted, it would be executed within five minutes,
        with  full  system  privileges.  For  this  reason,  atrun  sits in a
        protected  area  of the system, available only to the system manager.
        Nobody else has license to tamper with atrun.                        
           Here was the cuckoo's nest: for five minutes he would swap his egg
        for  the system's atrun program. For this attack, he needed to find a
        way  to  move  his  egg-program  into the protected systems nest. The
        operating  system's  barriers are built specifically to prevent this.
        But there was a wildcard that we'd never noticed.                    
           We used a powerful editing program called GnuEmacs. But Gnu's much
        more  than  just  a  text  editor-it's  a foundation upon which other
        programs  can  be  built. It even has its own mail facility built in.
         Just one problem: there's a bug in that software.
           Because of the way it was installed on our Unix computer, the Gnu-
        Emacs  editor lets you forward a mail file from your own directory to
        anyone  else's.  It  doesn't check to see who's receiving it, or even
        whether  they want the file. No problem to send a file from your area
        to  mine.  But  you'd  better  not  be  able  to move a file into the
        protected systems area: only the systems manager is allowed there.   
           Gnu didn't check. It let anyone move a file into protected systems
        space.  The  hacker  knew  this;  we  didn't. He used Gnu to swap his
        special  atrun file for the system's legitimate version. Five minutes
        later,  the  system  hatched  his  egg,  and  he  held the keys to my
        computer.                                                            
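The defensive counterpart to the swap described above, as an added Python example (not code from the book or from LBL): keep a baseline of the privileged programs in a protected directory, atrun among them, and re-check it so that a replaced binary is noticed before the system runs it with full privileges. A second check reports whether the directory is group- or world-writable, which is the common way such a directory becomes reachable; in this incident the write came through a privileged mail helper that did not validate its destination, so the permission bits alone would not have revealed it, and the hash comparison is the check that matters. The directory, its files and the replacement are constructed in a temporary location purely so the check has something to report on.

```python
"""File-integrity check for a protected system directory: baseline the
hashes and mode bits of every regular file, re-check later, and report what
was replaced, added or removed.  The directory contents below are constructed
test data; hash_file/snapshot/compare are what one would point at the real
protected directory."""
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map each regular file in `directory` to its (hash, mode bits)."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            result[name] = (hash_file(path), stat.S_IMODE(os.stat(path).st_mode))
    return result


def compare(baseline, current):
    """Report files replaced, added, or removed since the baseline."""
    return {
        "modified": sorted(n for n in baseline
                           if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def writable_by_others(path):
    """True if group or world may write to `path`; a protected system
    directory should never be.  (A privileged helper that writes wherever it
    is told bypasses these bits entirely, so this is a hygiene check, not a
    substitute for the hash comparison.)"""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Build a fake protected directory, take a baseline, replace 'atrun'
    with different content, drop in a stray file, and return the report."""
    with tempfile.TemporaryDirectory() as protected:
        os.chmod(protected, 0o755)
        atrun = os.path.join(protected, "atrun")
        with open(atrun, "wb") as f:
            f.write(b"#!/bin/sh\n# constructed stand-in for the genuine atrun\n")
        os.chmod(atrun, 0o755)
        baseline = snapshot(protected)

        with open(atrun, "wb") as f:            # simulate the replacement
            f.write(b"#!/bin/sh\n# constructed stand-in for a swapped binary\n")
        with open(os.path.join(protected, "extra"), "wb") as f:
            f.write(b"stray file\n")
        diff = compare(baseline, snapshot(protected))
        closed_dir_open = writable_by_others(protected)

    # A second, deliberately mis-permissioned directory for the bit check.
    open_dir = tempfile.mkdtemp()
    os.chmod(open_dir, 0o777)
    open_dir_open = writable_by_others(open_dir)
    os.rmdir(open_dir)

    return {"diff": diff,
            "protected_dir_writable_by_others": closed_dir_open,
            "open_dir_writable_by_others": open_dir_open}


if __name__ == "__main__":
    print(demo())
```

The baseline should be stored somewhere the machine being checked cannot alter, otherwise whoever replaces atrun can refresh the baseline as well.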
           In  front  of  me,  the  first few feet of the printout showed the
        cuckoo  preparing  the  nest,  laying  the egg, and waiting for it to
        hatch.  The  next  70  feet  showed  the fledgling cuckoo testing its
        wings.                                                               
           As  a  super-user,  he  had  the  run of our system and could read
        anybody's  work.  By  studying  several scientists' command files and
        scripts,  he  discovered  pathways  into  other  lab computers. Every
        night,  our  computer automatically calls 20 others, to exchange mail
        and  network  news.  When  the  hacker  read  these phone numbers, he
        learned 20 new targets.                                              
           I  had  to  weave a net fine enough to catch the hacker but coarse
        enough  to  let our scientists through. I'd have to detect the hacker
        as  soon as he came online and call Tymnet's technicians to trace the
        call.                                                                
           If  I  knew  the stolen account names, it would be easy to write a
        program that watched for the bad guy to show up. No need to check out
        every  person  using  the  computer;  just  ring a bell when a stolen
        account  was  in use. But I also had to stay invisible to the hacker,
        so I wrote the program for a new Unix-8 system we had just installed.
        I  could  connect it to our local area network, secure it against all
        possible attacks, and let it watch the other computers, all the while
        recording the traffic on printers.                                   
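The watchdog described above (ring a bell when a stolen account is in use) and the earlier port-speed reasoning, combined in one added Python example that is not code from the book or from LBL. It scans login records for a watch-list of the stolen account names mentioned in the narrative and enriches each hit with the line speed the switchyard recorded for that port, so a 1,200-bps dial-in session stands out from a hard-wired lab terminal. Log formats, the port statistics, the non-watched user names and the speed classes are assumptions made for the example.

```python
"""Watchdog: alert on logins by watched accounts and label each alert with
the connection speed recorded for its port.  Account names come from the
narrative; the login records and port statistics are constructed."""
from datetime import datetime, timedelta

WATCHED_ACCOUNTS = {"sventek", "hunter", "goran"}
MODEM_SPEEDS_BPS = {300, 1200, 2400}      # dial-in line speeds of the era (assumed)
LOCAL_SPEEDS_BPS = {9600, 19200}          # hard-wired terminals on the hill

FMT = "%Y-%m-%d %H:%M"

# Constructed login records: "date time user port".
LOGIN_LOG = """\
1986-08-28 12:31  graves     tt04
1986-08-28 12:33  sventek    tt23
1986-08-28 12:34  cleveland  tt09
1986-08-28 14:10  goran      tt17
"""

# Constructed switchyard statistics: "date time port bps".
PORT_STATS = """\
1986-08-28 12:31  tt04  9600
1986-08-28 12:33  tt23  1200
1986-08-28 14:10  tt17  19200
"""


def parse_logins(text):
    """Return (when, user, port) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            d, t, user, port = line.split()
            out.append((datetime.strptime(f"{d} {t}", FMT), user, port))
    return out


def parse_port_stats(text):
    """Return (when, port, bps) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            d, t, port, bps = line.split()
            out.append((datetime.strptime(f"{d} {t}", FMT), port, int(bps)))
    return out


def speed_for(port, when, stats, window=timedelta(minutes=1)):
    """Line speed recorded for `port` within `window` of `when`, or None."""
    for t, p, bps in stats:
        if p == port and abs(t - when) <= window:
            return bps
    return None


def classify(bps):
    """Rough origin of a connection from its line speed."""
    if bps in MODEM_SPEEDS_BPS:
        return "dial-in modem"
    if bps in LOCAL_SPEEDS_BPS:
        return "local terminal"
    return "unknown"


def watch(logins, stats, watched=WATCHED_ACCOUNTS):
    """Return one alert per login by a watched account, in log order."""
    alerts = []
    for when, user, port in logins:
        if user not in watched:
            continue
        bps = speed_for(port, when, stats)
        alerts.append({"time": when.strftime(FMT), "user": user, "port": port,
                       "bps": bps, "origin": classify(bps)})
    return alerts


def run():
    return watch(parse_logins(LOGIN_LOG), parse_port_stats(PORT_STATS))


if __name__ == "__main__":
    for alert in run():
        # "\a" is the terminal bell; a real watchdog would page someone.
        print("\a", alert)
```

Only the watched names produce alerts; everybody else on the machine passes through untouched, which is the "coarse enough to let our scientists through" requirement.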
           Wednesday  afternoon,  September 3, 1986, marked a week since we'd
        first  detected  the  hacker.  Suddenly,  the  terminal beeped twice:
        Sventek's account was active. I ran to the switchyard; the top of the
        ream  of  paper  showed that the hacker had logged in at 2:26 and was
        still active.                                                        
           Logged  in  as  Sventek,  he  first  listed  the names of everyone
        connected.  Lucky-there  was  nobody but the usual gang of physicists
        and  astronomers;  my  watchdog program was well concealed within the
        Unix-8 computer.                                                     
           He  didn't  become  a super-user; rather, he checked that the Gnu-
        Emacs  file  hadn't  been modified. At 2:37, 11 minutes after logging
        in, he abruptly logged off. But not before we'd started the trace.   
            Ron Vivier traces Tymnet's network within North America. In a
        couple of minutes he had traced the connection from LBL's Tymnet port
        into an Oakland Tymnet office, where someone had dialed in.          
           It's  easier  to  call  straight  into our Berkeley lab than to go
        through  Oakland's  Tymnet  office.  Calling  the local Tymnet access
        number  instead  of  our  lab was like taking the interstate to drive
        three blocks. But calling via Tymnet added one more layer to trace.  
            Whoever was at the other end of the line knew how to hide.
           The  morning  after  we  had  watched  the  hacker break in to our
        system, my boss met with Aletha Owens, the lab's attorney. She wasted
        no time in calling the FBI.                                          
           Our  local  FBI  office  didn't  raise  an  eyebrow. Fred Wyniken,
         special agent with the Oakland resident agency, asked incredulously
         "You're calling us because you've lost 75 cents in computer time?"
        Owens  tried  explaining  information  security  and the value of our
        data.  Wyniken  interrupted,  "Look, if you can demonstrate a loss of
        more  than  a  million  dollars,  or  that  someone's  prying through
        classified  data, then we'll open an investigation. Until then, leave
        us alone."                                                           
           Wednesday,  September 10, at 7:51 a.m., the hacker appeared in our
        system for six minutes. I wasn't at the lab to watch, but the printer
        saved  three  pages  of  his trail. He logged in to our computer from
        Tymnet  as Sventek, then jumped into another network. Using Milnet, a
        network  that  links  military  computers,  he  connected  to address
        26.0.0.113.  He  logged  in  there as Hunter, checked that they had a
        copy of Gnu-Emacs, and disappeared.                                  
           The hacker left an indelible trail downstream to the Redstone Army
        Depot  in  Anniston, Alabama, the home of the army's Redstone missile
         complex, 2,000 miles from Berkeley. He listed files at the Anniston
         system. Judging from the dates of these files, he'd been in
        Anniston's   computers   since   early  June.  For  four  months,  an
        illegitimate system manager had been using an army computer. Yet he'd
        been  discovered  by  accident,  not  through some logic bomb or lost
        information.                                                         
           Looking  closely  at  the  morning's  printout, I saw that, on the
        Anniston  computer,  the  hacker  had  changed  Hunter's  password to
        Hedges.  A  clue  at  last:  of  zillions of possible passwords, he'd
        chosen Hedges. Hedges Hunter? Hunter Hedges? A hedge hunter?         
           Time  was  running out; if I didn't catch the hacker soon, the lab
        would  shut  down  my tracking operation and put me on other work. At
        2:30  in  the  afternoon,  the printer advanced a page and the hacker
        logged in with a new stolen account, Goran. A minute after the hacker
        connected,  I  called  the  phone company and Ron Vivier at Tymnet. I
        took  notes  as  Ron  mumbled.  "He's  coming  into  your port 14 and
        entering Tymnet from Oakland. It's our port 322, which is, uh, let me
        see  here."  I could hear him tapping his keyboard. "Yeah, it's 2902.
         430-2902. That's the number to trace."
           The  phone  company, by law, couldn't reveal information about the
        trace to me, but my printers showed his every move. While I talked to
        Tymnet  and  the  telephone  techs, the hacker had prowled through my
        computer.  He  wasn't satisfied reading the system manager's mail; he
        also snooped through mail for several nuclear physicists.            
           After  15 minutes of reading our mail, he jumped back into Goran's
        stolen  account,  using  a new password, Benson. He started a program
        that searched our users' files for passwords; while that executed, he
        called  up  the  Milnet  Network  Information  Center and asked for a
        pathway into the CIA.                                                
           Instead of their computer, though, he found four people who worked
        at the CIA. Later, I phoned one of them.                             
            I didn't know where to begin. How do you introduce yourself to a
         spy?
            "Uh, you don't know me, but I'm a computer manager, and we've been
         following a computer hacker."
            "Uh-huh."
            "Well, he searched for a pathway to try to get into the CIA's
         computers. He found your name and phone number."
            "Who are you?" Nervously, I told him, expecting him to send over
        a gang of hit men in trench coats. I described our laboratory, making
        sure he understood that the People's Republic of Berkeley didn't have
        official  diplomatic  relations with his organization. He sent over a
        delegation  several days later. OK, so they didn't wear trench coats.
         Not even sunglasses. Just boring suits and ties. Wayne saw the four
        of  them walk up the drive and flashed a message to my terminal: "All
        hands on deck. Sales reps approach through starboard portal. Charcoal
        gray  suits.  Set  warp  speed  to avoid IBM sales pitch." If only he
        knew.                                                                
           The four spooks introduced themselves. One guy in his fifties said
        he  was  there  as a "navigator" and didn't give his name-he just sat
        there  quietly the whole time. The second spy, Greg Fennel, I guessed
        to  be  a computer jockey, because he seemed uncomfortable in a suit.
        The  third  agent,  Teejay, was built like a halfback. The fourth guy
        must have been the bigwig: everyone shut up when he talked. Together,
        they looked more like bureaucrats than spies.                        
            The four of them sat quietly while we gave them an overview of
         what we'd seen. Mr. Big nodded and asked, "What keywords has he
         scanned for?"
            "He looks for words like password, nuclear, SDI, and Norad. He's
         picked some curious passwords: lblhack, hedges, jaeger, hunter, and
         benson. The accounts he stole, Goran, Sventek, Whitberg, and Mark,
         don't say much about him, because the names are people here at the
         laboratory."
            Mr. Big nodded and asked, "Tell me, what did he do at Anniston?"
            "I don't have much of a printout there," I said. "He was into
        their  system  for  several  months,  perhaps as long as a year. Now,
        since he knows they've detected him, he logs in only for a moment."  
           Mr.  Big  fidgeted  a  bit,  meaning that the meeting was about to
        break  up.  Greg  asked  one  more  question.  "What  machines has he
         attacked?"
            "Ours, of course, and the army base in Anniston. He's tried to get
         into White Sands Missile Range, and some navy shipyard in Maryland. I
         think it's called Dockmaster."
            "Shit!" Greg and Teejay simultaneously exclaimed. Greg said, "How
         do you know he hit Dockmaster?"
            "About the same time he screwed up our accounting, this Dockmaster
         place sent us a message saying that someone had tried to break in
         there."
            "Did he succeed?"
            "I don't think so. What is this Dockmaster place, anyway? Aren't
         they some navy shipyard?"
           They   whispered  among  themselves,  and  Mr.  Big  nodded.  Greg
        explained:  "Dockmaster  isn't  a  navy  shipyard.  It's  run  by the
        National Security Agency."                                           
            A hacker breaking into the NSA? Bizarre. This guy wanted to get
         into the CIA, the NSA, army missile bases, and the North American Air
         Defense headquarters.
            "Dockmaster is NSA's only unclassified computer," Greg said. "It
         belongs to its computer security group, which is actually public."
            Mr. Big started talking slowly. "There's not much we can do about
         this affair. I think there's no evidence of foreign espionage."
            "Well, who should be working on this case?" I asked.
           "The  FBI.  I'm  sorry,  but  this isn't our bailiwick. Our entire
        involvement  has  been  the  exposure  of  four  names-names that are
        already in the public domain, I might add."                          
           Then they were gone.                                              
           The  spooks were no help, so I was on my own again. I searched the
        Berkeley phone book for Jaegers and Bensons; I figured I ought to try
        Stanford as well. So I stopped by the library. Maggie Morley, our 45-
        year-old  documentmeister, plays rough-and-tumble Scrabble: posted on
         her door is a list of all legal three-letter Scrabble words.
            "I need a Stanford telephone book," I said. "I'm looking for
         everyone in Silicon Valley named Jaeger or Benson."
            "Jaeger. A word that's been kind to me," Maggie smiled. "Worth 16
         points, but I once won a game with it, when the J landed on a
         triple-letter score. Turned into 75 points."
           "Yeah,  but  I  need it because it's the hacker's password. Hey, I
         didn't know names were legal in Scrabble."
            "Jaeger's not a name. Well, maybe it's a name-Ellsworth Jaeger, the
         famous ornithologist, for instance-but it's a type of bird. Gets its
         name from the German word meaning hunter."
            "Huh? Did you say hunter?"
           "Yes.  Jaegers are hunting birds that badger other birds with full
         beaks. They harass weaker birds until they drop their prey."
            "Hot ziggity! You answered my question. I don't need the phone
         book."
            "Well, what else can I do for you?"
            "How about explaining the relationship between the words hedges,
         jaeger, hunter, and benson?"
           "Well,  jaeger  and  hunter is obvious to anyone who knows German.
        And smokers know Benson & Hedges."                                   
           Omigod-my  hacker  smokes  Benson  &  Hedges.  Maggie had won on a
        triple-word score.                                                   
           During  one of the phone traces, I had copied down all the numbers
        and  digits I heard from the technician. I called all combinations of
        them  and ended up at a computer modem at Mitre, a defense contractor
        just  down  the  road  from CIA headquarters in McLean, Virginia. How
        deeply  was  Mitre's system infested? By listing its directory, I saw
        that  the hacker had created a Trojan horse there on June 17. For six
        months, someone had silently booby-trapped Mitre's computers.        
            In all likelihood, Mitre served as a way station, a stepping-stone
        on  the  way  to  breaking  into other computers. Someone dialed into
        Mitre,  turned  around,  and dialed out from it. This way, Mitre paid
        the  bills both ways: the incoming Tymnet connection and the outgoing
        long-distance phone call. Even nicer, Mitre served as a hiding place,
        a hole in the wall that couldn't be traced.                          
           Monday  morning,  I  called a man named Bill Chandler at Mitre and
        told  him  the  news. Bill wanted me to be quiet about the problems I
         had found. Well, yes, but I had a price.
            "Say, Bill, could you send me copies of your computer's phone
         bills?"
            "What for?"
            "It might be fun to see where else this hacker got into."
            Two weeks later, a thick envelope arrived, stuffed with
        long-distance  bills from Chesapeake and Potomac. Six months of phone
        bills.  Dates,  times,  phone  numbers, and cities. Probably 5,000 in
        all.  So  many  that  I  couldn't  analyze  them by hand. Perfect for
        analyzing on a computer-there's plenty of software designed to search
        out  correlations.  All  I had to do was enter them into my Macintosh
        computer and run a few programs.                                     
           Ever  type 5,000 phone numbers? It's as boring as it sounds. And I
        had  to do it twice, to make sure I didn't make any mistakes. Took me
        two days.                                                            
           After  running  an  analysis, I found that this hacker hadn't just
        broken  into  my  computer. He was into more than six, and possibly a
        dozen.                                                               
           From  Mitre,  the hacker had made long connections to Norfolk, Oak
        Ridge, Omaha, San Diego, Pasadena, Livermore, and Atlanta.           
            At least as interesting: he had made hundreds of one-minute phone
         calls, all across the country. To air force bases, navy shipyards,
         aircraft builders, and defense contractors. What can you learn from a
         one-minute phone call to an army proving ground?
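The phone-bill analysis described above, as an added Python example rather than the programs the author ran on his Macintosh: parse the call records, summarise them per destination, and separate destinations where someone stayed connected for a real session from those that only ever received one-minute calls. Every number, city and duration below is invented for the example; the column layout is an assumption too.

```python
"""Summarise a long-distance bill per destination and split destinations
into 'sessions' (at least one call longer than a minute) and 'probes'
(every call one minute or shorter).  The bill is constructed data."""
import csv
import io
from collections import defaultdict

# Constructed long-distance bill: date, time, number, city, minutes.
BILL = """\
date,time,number,city,minutes
1986-06-17,13:02,804-555-0142,Norfolk VA,47
1986-06-18,12:40,615-555-0187,Oak Ridge TN,31
1986-06-18,13:15,402-555-0113,Omaha NE,1
1986-06-18,13:16,402-555-0119,Omaha NE,1
1986-06-20,12:05,804-555-0142,Norfolk VA,12
1986-06-20,12:30,619-555-0150,San Diego CA,1
1986-06-23,11:58,404-555-0177,Atlanta GA,22
1986-06-23,12:25,619-555-0150,San Diego CA,1
1986-06-24,12:10,915-555-0101,El Paso TX,1
"""


def parse_bill(text):
    """Rows as dicts, with the minutes column converted to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["minutes"] = int(r["minutes"])
    return rows


def summarise(rows):
    """Per destination number: call count, total minutes, longest call, city."""
    summary = defaultdict(lambda: {"calls": 0, "minutes": 0, "longest": 0, "city": None})
    for r in rows:
        s = summary[r["number"]]
        s["calls"] += 1
        s["minutes"] += r["minutes"]
        s["longest"] = max(s["longest"], r["minutes"])
        s["city"] = r["city"]
    return dict(summary)


def classify(summary, probe_max_minutes=1):
    """Numbers with a real session versus numbers only ever called briefly."""
    sessions = sorted(n for n, s in summary.items() if s["longest"] > probe_max_minutes)
    probes = sorted(n for n, s in summary.items() if s["longest"] <= probe_max_minutes)
    return {"sessions": sessions, "probes": probes}


def analyse(text=BILL):
    return classify(summarise(parse_bill(text)))


if __name__ == "__main__":
    summary = summarise(parse_bill(BILL))
    result = classify(summary)
    for label in ("sessions", "probes"):
        print(label)
        for n in result[label]:
            s = summary[n]
            print(f"  {n}  {s['city']:14s} calls={s['calls']:3d} minutes={s['minutes']:4d}")
```

The split matters for an investigator because the two lists call for different follow-up: a session destination has probably been broken into and its operators need to be told, while a probe destination shows attempted reconnaissance and may only need its logs checked for the dates involved.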
           For  six  months,  this  hacker  had  been breaking into bases and
        computers  all  across the country. Nobody knew it. He was out there,
        alone,  silent,  anonymous, persistent, and apparently successful-but
        why?  What was he after? What had he already learned? And what was he
         doing with this information?
            Friday, December 5, the hacker showed up again at 1:21 in the
         afternoon. Nine minutes later, he disappeared.
            Enough time for me to trace the connection to Tymnet. But the
         network's sorcerer, Ron Vivier, was taking a long lunch that day, so
         Tymnet couldn't make the trace. Another chance lost.
            Ron returned my call an hour later.
            "Hey, Cliff, how come you never call me at night?"
           "Guess  the  hacker  doesn't  show  up at night. I wonder why." He
        started  me  thinking.  My logbook recorded every time the hacker had
        shown up. On the average, when was he active?                        
            I remembered him on at 6 a.m. and at 7 p.m. But never at
         midnight. Isn't midnight operation the very image of a hacker?
           On  the  average,  the  hacker showed up at noon, Pacific time. So
        what did this mean? Suppose he lives in California. Then he's hacking
        during  the day. If he's on the East Coast, he's three hours ahead of
        us, so he works around 3 or 4 in the afternoon.                      
           This  didn't  make  sense.  He'd  work  at  night to save on long-
        distance  telephone  fees.  To avoid network congestion. And to avoid
        detection. Yet he brazenly breaks in during the day. Why?            
           When  it's  noon  in  California, I wondered, where is it evening?
        Lunchtime  in  Berkeley  is  bedtime in Europe. Was the hacker coming
        from Europe?                                                         
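The logbook reasoning above, carried out on constructed data as an added Python example (not the author's own calculation). A plain average of clock times goes wrong for activity that straddles midnight (23:00 and 01:00 would average to noon), so the hours are averaged on a circle instead; the resulting mean local hour is then shifted into the candidate time zones the narrative considers. The logbook entries are invented to resemble the book's, and the offsets are hours ahead of Pacific time with daylight-saving differences ignored, both assumptions of the example.

```python
"""Mean time of day of the hacker's appearances, computed on a circle, and
what that hour reads as on the clock in candidate time zones."""
import math
from datetime import datetime

# Constructed logbook: local (Pacific) times at which the hacker appeared.
LOGBOOK = [
    "1986-09-03 14:26", "1986-09-10 07:51", "1986-09-10 14:30",
    "1986-10-02 13:21", "1986-10-15 12:10", "1986-10-29 11:45",
    "1986-11-06 06:05", "1986-11-20 19:00", "1986-12-05 12:40",
    "1986-12-12 10:30",
]

# Hours ahead of Pacific time (DST ignored) for the places under discussion.
OFFSETS = {"Pacific": 0, "Eastern": 3, "Britain": 8, "Central Europe": 9}


def decimal_hours(stamps):
    """'1986-09-03 14:26' -> 14.433..."""
    return [dt.hour + dt.minute / 60
            for dt in (datetime.strptime(s, "%Y-%m-%d %H:%M") for s in stamps)]


def naive_mean_hour(hours):
    """The wrong way: fine for daytime clusters, wrong across midnight."""
    return sum(hours) / len(hours)


def circular_mean_hour(hours):
    """Mean time of day treating the clock as a circle, so 23:00 and 01:00
    average to 00:00 rather than 12:00."""
    angles = [h / 24 * 2 * math.pi for h in hours]
    x = sum(math.cos(a) for a in angles) / len(angles)
    y = sum(math.sin(a) for a in angles) / len(angles)
    return (math.atan2(y, x) % (2 * math.pi)) / (2 * math.pi) * 24


def local_hour_in(zones, mean_hour):
    """Mean activity hour as it reads on the clock in each candidate zone."""
    return {zone: (mean_hour + off) % 24 for zone, off in zones.items()}


def fmt(hour):
    """Decimal hour -> 'HH:MM'."""
    total = int(round(hour * 60)) % (24 * 60)
    return f"{total // 60:02d}:{total % 60:02d}"


def analyse(stamps=LOGBOOK, zones=OFFSETS):
    mean = circular_mean_hour(decimal_hours(stamps))
    return mean, local_hour_in(zones, mean)


if __name__ == "__main__":
    mean, by_zone = analyse()
    print("mean local hour:", fmt(mean))
    for zone, h in by_zone.items():
        print(f"  {zone:15s} {fmt(h)}")
```

With the constructed logbook the mean lands a little after noon Pacific, which reads as mid-afternoon on the East Coast and about 21:00 in Central Europe: the evening hours one would expect of someone working from home after the day's cheaper rates begin, and the same shape of argument the narrative makes.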
           On  a  Saturday afternoon, the hacker hit again. I called Tymnet's
         Ron Vivier at home.
            "I've got a live one for you," I gasped. "Just trace my port 14."
            "Right. It'll take a minute." A couple of eons passed, and Ron came
         back on the line. "Hey, Cliff, are you certain that it's the same
         guy?"
            I watched the hacker searching for the word SDI on our computer.
         "Yes, it's him."
           "He's  coming  in  from  a  gateway  that I've never heard of. I'm
        locked onto his network address, so it doesn't matter if he hangs up.
         But the guy's coming from somewhere strange."
            "Where's that?"
            "I don't know. It's Tymnet node 3513, which is a strange one. I'll
         have to look it up in our directory." In the background, Ron's
         keyboard clicked. "Here it is. Your hacker is coming from outside the
         Tymnet system. He's entering Tymnet from a communications line
         operated by the International Telephone and Telegraph company."
            "So what?"
           "ITT  takes  a  Westar downlink, the communications satellite over
         the Atlantic. It handles ten or twenty thousand phone calls at once."
            "So my hacker is coming from Europe?"
            "For sure."
            "Where?"
           "That's  the part I don't know, and I probably can't find out. But
        hold on, and I'll see what's there." More keyboard clicks.           
           Ron came back to the phone. "Well, ITT identifies the line as DSEA
        744031. That's their line number. It can connect to either Spain,
        France, Germany, or Britain."
           "Well, which is it?" "Sorry, I don't know. In three days they'll
        send us billing information, and then I can find out. Meantime, I
        can't tell you much more than that." Ron rang off, but the hacker was
        still on my computer, trying to chisel into the Navy Research Labs,
        when one of Tymnet's international specialists, Steve White, called.
        "Ron can't trace any farther," Steve said. "I'll do the trace myself."
        I kept watching the hacker on my screen, hoping that he wouldn't
        hang up while Steve made the trace.
           Steve  came  back on the line. In his modulated, almost theatrical
        British  accent,  he  said, "Your hacker has the calling address DNIC
        dash 2624 dash 542104214."                                           
           "So where's the hacker coming from? "                             
           "West Germany. The German Datex network."                         
           "What's that? "                                                   
           "It's  their national network to connect computers together. We'll
        have to call the Bundespost to find out more."                       
           "Who's the Bundespost? "                                          
           "They're   the  German  national  postal  office.  The  government
        communications monopoly."                                            
           Steve seemed pessimistic about completing a successful trace. "We
        know where he connects into the system. But there's a couple of
        possibilities there. The hacker might be at a computer in Germany,
        simply connected over the German Datex network. If that's the case,
        then we've got him cold. We know his address, the address points to
        his computer, and the computer points to him."
           "It is unlikely. More likely, the hacker is coming into the German
        Datex network through a dial-in modem."                              
           Just like Tymnet, Datex let anyone dial into its system and
        connect to computers on the network. Perfect for businesspeople and
        scientists. And hackers.
           "The  real  problem is in German law, " Steve said. "I don't think
        they recognize hacking as a crime."                                  
           "You're kidding, of course." "No," he said. "A lot of countries
        have outdated laws. In Canada, a hacker who broke into a computer was
        convicted of stealing electricity, rather than trespassing. He was
        prosecuted only because the connection had used a microwatt of power
        from the computer."
           Steve's pessimism was contagious. But his trace jogged my spirits.
        So  what if we couldn't nail the hacker-our circle was closing around
        him.                                                                 
           Germany.  I  remembered  my  librarian  recognizing  the  hacker's
        password.  "Jaeger-it's a German word meaning hunter." The answer had
        been right in front of me, but I'd been blind.                       
           Some  details  were still fuzzy, but I understood how he operated.
        Somewhere in Europe, the hacker called into the German Datex network.
        He  asked for Tymnet, and the Bundespost made the connection. Once he
        reached  the States, he connected to my laboratory and hacked his way
        around Milnet.                                                       
           Mitre  must have been his stopover point. Now I realized why Mitre
        paid for a thousand one-minute-long phone calls. The hacker would
        connect  to  Mitre and instruct the system to phone another computer.
        When  it  answered,  he  would  try to log in with a default name and
        password. Usually he failed and went on to another phone number. He'd
        been scanning computers, with Mitre picking up the tab.              
           But he'd left a trail. On Mitre's phone bills.                    
           The  path  led  back  to  Germany,  but  it  might  not end there.
        Conceivably,  someone in Berkeley could have called Berlin, connected
        to  the  Datex  network,  connected  through Tymnet, and come back to
        Berkeley.  Maybe  the start of the path was in Mongolia. Or Moscow. I
        couldn't  tell.  For  the  present,  my  working  hypothesis would be
        Germany.                                                             
           And he scanned for military secrets. Could I be following a spy? A
        real spy, working for them-but who's "them"?                         
           Three  months  ago, I'd seen some mouse droppings in my accounting
        files.  Quietly  we'd  watched this mouse sneak through our computer,
        out through a hole, and into the military networks and computers.    
           At  last I knew what this rodent was after. And where he was from.
        I'd been mistaken.                                                   
           This wasn't a mouse. It was a rat.                                
           Curious  whether  other people might have a similar problem with a
        hacker, I spent a few hours one early December day searching bulletin
        boards  on the  Usenet  network for news about  hackers and found one
        note from Toronto. I called the  author on the phone - I didn't trust
        electronic mail. Bob Orr, the manager of the University  of Toronto's
        physics computers, told a familiar story.                            
           "Some  hackers  from  Germany  have  invaded  our system, changing
        programs and damaging our operating system."                         
           "How'd  they get in? " "We collaborate with the Swiss physics lab,
        CERN.  And  a  group  of  German  hackers  called  the Chaos Club has
        thoroughly  walked  through  their  computers.  They  probably  stole
        passwords to our system and linked directly to us."                  
           As  an  aside, Bob mentioned that the Chaos Club might have gotten
        into the US Fermilab computer as well.                               
           "One  guy  uses  the  pseudonym  Hagbard,  " he told me. "Another,
        Pengo. I don't know their real names."                               
           Next I called Stanford and asked one of their system managers, Dan
        Kolkowitz, if he'd heard anything from Germany.                      
           "Come  to  think  of  it,  someone  broke  in  a few months ago. I
        monitored what he did and have a listing of him."                    
           Dan read the listing over the phone. Some hacker with the
        nom-de-guerre of Hagbard was sending a file of passwords to some
        hackers named Zombie and Pengo.
           Hagbard and Pengo again. I wrote them in my logbook.              
           One  good  thing  was  happening. One by one, I was making contact
        with other people who were losing sleep and slugging down Maalox over
        the same troubles that obsessed me. It was comforting to learn that I
        wasn't completely alone.                                             
           A  few  days  later,  I received a call telling me that the German
        Bundespost had determined that the hacker came from the University of
        Bremen.  Soon  they  found the account he was using to connect across
        the  Atlantic. They set a trap on that account: the next time someone
        used it, they'd trace the call.
           The Germans weren't sitting around. The university would monitor
        the  suspicious  account,  and the Bundespost would keep track of the
        network activity. More and more mouseholes were being watched.       
           Friday,  December  19,  1986,  at  1:38 p.m., the hacker showed up
        again. Stayed around for two hours, fishing on the Milnet. A pleasant
        Friday  afternoon,  trying  to  guess  passwords to the Strategic Air
        Command,  the  European  Milnet  Gateway,  the  West  Point Geography
        Department, and 70 other assorted military computers.                
           I  phoned  Steve  White  at Tymnet. "The hacker's on our computer.
        Tymnet's logical port number 14."                                    
           "OK," Steve said. The usual keyboard clatter in the background.
        Twenty seconds elapsed, and he called, "Got it!"
           Steve  had  traced a connection from California to Germany in less
        than a minute.                                                       
           "He's not coming from Bremen," he told me. "Today, he's dialing
        into Hannover."
           "So  where  is he? In Bremen or Hannover? " "Wolfgang Hoffman, the
        Datex  network  manager  in Germany, doesn't know. For all we know he
        could be in Paris, calling long distance."                           
           Yesterday  it  was  Bremen.  Today  Hannover.  Where would he hide
        tomorrow?  The  hacker,  I  discovered, didn't take holidays; he even
        logged in on New Year's Day. His hacker's celebration was saved on my
        printers. I scribbled notes on the printouts, next to his:           
           WELCOME TO THE ARMY OPTIMIS DATABASE                              
           PLEASE ENTER A WORD OR 'EXIT'.                                    
           / SDI Looking for SDI dope                                        
           THE WORD "SDI" WAS NOT FOUND. But there's none there              
           PLEASE ENTER A WORD OR 'EXIT'.                                    
           / STEALTH Any word on the Stealth bomber?                         
           THE WORD "STEALTH" WAS NOT FOUND. No such luck                    
           PLEASE ENTER A WORD OR 'EXIT'.                                    
           / SAC Strategic Air Command?                                      
           THE WORD "SAC" WAS NOT FOUND. Nope                                
           PLEASE ENTER A WORD OR 'EXIT'.                                    
           / NUCLEAR                                                         
           THANK YOU.                                                        
           I HAVE FOUND 29 DOCUMENT(S) CONTAINING THE PHRASE 'NUCLEAR'.      
           ITEM* MARKS* TITLE                                                
           1 20-1F IG INSPECTIONS (HEADQUARTERS, DEPARTMENT OF THE ARMY)
           2 50A NUCLEAR, CHEMICAL, AND BIOLOGICAL NATIONAL SECURITY AFFAIRS
           3 50B NUCLEAR, CHEMICAL, AND BIOLOGICAL WARFARE ARMS CONTROLS
           4 50D NUCLEAR AND CHEMICAL STRATEGY FORMULATIONS
           5 50E NUCLEAR AND CHEMICAL POLITICO-MILITARY AFFAIRS
           6 50F NUCLEAR AND CHEMICAL REQUIREMENTS
           7 50G NUCLEAR AND CHEMICAL CAPABILITIES
           8 50H THEATER NUCLEAR FORCE STRUCTURE DEVELOPMENTS
           9 50I NUCLEAR AND CHEMICAL WARFARE BUDGET FORMULATIONS
           10 50J NUCLEAR AND CHEMICAL PROGRESS AND STATISTICAL REPORTS
           11 50K ARMY NUCLEAR, CHEMICAL, AND BIOLOGICAL DEFENSE PROGRAM
           12 50M NUCLEAR AND CHEMICAL COST ANALYSES
           13 50N NUCLEAR, CHEMICAL WARFARE, AND BIOLOGICAL DEFENSE SCIENTIFIC AND TECHNICAL INFORMATION
           14 50P NUCLEAR COMMAND AND CONTROL COMMUNICATIONS
           15 50Q CHEMICAL AND NUCLEAR DEMILITARIZATIONS
           16 50R CHEMICAL AND NUCLEAR PLANS
           17 50-5A NUCLEAR ACCIDENT/INCIDENT CONTROLS
           18 50-5B NUCLEAR MANPOWER ALLOCATIONS
           19 50-5C NUCLEAR SURETY FILES
           20 50-5D NUCLEAR SITE RESTORATIONS
           21 50,5-1A NUCLEAR SITE UPGRADING FILES
           22 50-115A NUCLEAR SAFETY FILES
           23 55-355FRTD DOMESTIC SHIPMENT CONTROLS
           24 200-1C HAZARDOUS MATERIAL MANAGEMENT FILES
           25 385-11K RADIATION INCIDENT CASES
           26 385-11M RADIOACTIVE MATERIAL LICENSING
           27 385-40C RADIATION INCIDENT CASES
           28 700-65A INTERNATIONAL NUCLEAR LOGISTICS FILES
           29 1125-2-300A PLANT DATA
           And  he  wasn't  satisfied  with  the titles to these documents-he
        dumped  all 29 over the line printer. Page after page was filled with
        army  doubletalk.  At one point, my printer jammed. The old DECwriter
        had paid its dues for the past ten years and now needed an adjustment
        with  a  sledgehammer.  Damn.  Right  where the hacker had listed the
        army's plans for nuclear bombs in the central European theater, there
        was only an ink blot.                                                
           Around  noon on Sunday, January 4, my beeper sounded. I jumped for
        the  computer,  checked that the hacker was around, then called Steve
        White. Within a minute, he'd started the trace.                      
           The hacker tried the Air Force Systems Command, Space Division,
        and managed to log in as Field Service: not as an ordinary user but
        as one with a completely privileged account.
           His first command was to show what privileges he'd garnered. The
        air force computer responded automatically: System Privilege, and a
        slew of other rights, including the ability to read, write, or erase
        any file on the system.
        Privilege, and a slew of other rights, including the ability to read,
        write, or erase any file on the system.                              
           He  was  even  authorized  to run security audits on the air force
        computer. I could imagine him sitting behind his terminal in Germany,
        staring  in  disbelief at the screen. He didn't just have free run of
        the Space Command's computer; he controlled it.                      
           Confident that he was undetected, he probed nearby computers. In a
        moment,  he'd  discovered four on the air force network and a pathway
        to connect to others. From his high ground, none of these were hidden
        from  him;  if their passwords weren't guessable, he could steal them
        by setting up Trojan horses.                                         
           This  wasn't  a little desktop computer he'd broken into. He found
        thousands of files on the system, and hundreds of users.             
           He  commanded  the air force computer to list the names of all its
        files; it went merrily along typing out names like
        "Laser-design-plans" and "Shuttlelaunch-manifest." But he didn't know
        how to shut
        off  the  spigot.  For  two hours, it poured a Niagara of information
        onto his terminal.                                                   
           Finally, at 2:30, he hung up. While the hacker stepped through the
        air  force computer, Steve White traced Tymnet's lines. I asked Steve
        for the details.                                                     
           "I  checked  with Wolfgang Hoffman at the Bundespost. Your visitor
        is coming from Karlsruhe today. The University of Karlsruhe.".       
           My hacker was moving around. Or maybe he was staying in one place,
        playing  a  shell  game  with  the telephone system. Perhaps he was a
        student,  visiting different campuses and showing off to his friends.
        Was  I  certain  that  there  was  only  one hacker-or was I watching
        several people?                                                      
           Two days later, the hacker was back. He went straight over the
        Milnet to the Air Force Space Division. I watched him log in as Field
        Service.                                                             
           He  didn't  waste  a minute. He went straight to the authorization
        software,  searched  for  an  old,  unused  account, and modified it,
        giving it system privileges and a new password: AFHACK.              
           AFHACK-what arrogance. He's thumbing his nose at the United States
        Air Force.                                                           
           From  now  on, he didn't need the field service account. Disguised
        as  an officer in the air force, he had unlimited access to the Space
        Division's computer.                                                 
           A  call  to  Steve  White  started  a  trace  rolling. Within five
        minutes,  he'd  traced  the  connection  to  Hannover  and called the
        Bundespost.                                                          
           A few minutes of silence, then: "Cliff, does the connection look
        like it will be a long one?"
           "I can't tell, but I think so, " I said.                          
           "OK."  Steve  was  on  another  telephone;  I  could  hear only an
        occasional shout.                                                    
           In a minute, Steve returned to my line. "Wolfgang is tracing the
        call in Hannover. It's a local call. They're going to try to trace it
        all the way."                                                        
           Here's news! A local call in Hannover meant that the hacker was
        somewhere in Hannover.                                               
           Steve shouted instructions from Wolfgang: "Whatever you do, don't
        disconnect the hacker. Keep him on the line if you can!"
           But  he's rifling files at the air force base. It was like letting
        a burglar rob your home while you watched.                           
           He  went  for  operational  plans.  Documents describing air force
        payloads for the space shuttle. Test results from satellite detection
        systems.  SDI  research  proposals.  A  description  of an astronaut-
        operated camera system.                                              
           Tymnet came back on the line. "I'm sorry, Cliff, but the trace in
        Germany is stymied."
           "Can't they trace the call?" "Well, the hacker's line comes from
        Hannover, all right," Steve replied. "But Hannover's phone lines
        connect through mechanical switches-noisy, complicated widgets-and
        these can be traced only by people, not by computers."
           Another  opportunity  lost.  I  cut off the hacker's connection so
        that he couldn't do more harm.                                       
           Later, Steve White explained that American telephones are computer
        controlled,  so  it's  pretty easy to trace them. But in Germany they
        need someone at the Hannover exchange to trace the call.             
           "So  we  can't trace him unless the hacker calls during the day or
        evening? " I asked.                                                  
           "Worse than that. It'll take an hour or two to make the trace once
        it's started."                                                       
           Lately, the hacker had been showing up for five minutes at a time.
        Long  enough  to  wake me up, but hardly enough for a two-hour trace.
        How could I keep him on for a couple of hours?                       
           The answer, I realized, was disarmingly simple: give him what he
        wants:  all  the  classified  data, all the top-secret information he
        could  gather.  Not  for real, of course. Instead, I'd create a phony
        database.  Its  documents  would describe a new Star Wars project. An
        outsider   reading   them   would   believe  that  Lawrence  Berkeley
        Laboratories  had  just  landed a fat government contract to manage a
        new computer network. The SDI Network.                               
           This bogus network, which would apparently link together scores of
        classified  computers,  would  extend  to  military  bases around the
        world.  By  reading  the  files, you'd find lieutenants and colonels,
        scientists  and  engineers.  Here  and  there,  I would drop hints of
        meetings and classified reports.                                     
           And  I  invented  Barbara  Sherwin,  the sweet, bumbling secretary
        trying  to  figure  out  her new word processor and keep track of the
        endless stream of documents produced by our newly invented "Strategic
        Defense Initiative Network Office."
           My  snare  was  baited.  If the hacker bit, he'd take two hours to
        swallow the bait. Long enough for the Germans to track him down.     
           The next move was the hacker's.                                   
           My  beeper  sounded  at 5:14 p.m., Friday, January 16. There's the
        hacker.  It  didn't  take  him very long to swallow the hook; soon he
        broke  into  my  phony  SDInet.  Quickly, I got on the phone to Steve
        White.                                                               
           "Steve, call Germany. The hacker's on, and it'll be a long
        session." "Spot-on, Cliff. Call you back in ten minutes." For the next 45
        minutes,  the  hacker  dumped  out  file  after file, reading all the
        garbage  that  I had created. Boring, tedious ore, with an occasional
        nugget of technical information.                                     
           Then he dumped the file named FORM LETTER:                        
           DEAR SIR:                                                         
           THANK  YOU  FOR  YOUR INQUIRY ABOUT SDINET. WE ARE HAPPY TO COMPLY
        WITH  YOUR  REQUEST  FOR  MORE  INFORMATION  ABOUT  THIS NETWORK. THE
        FOLLOWING  DOCUMENTS  ARE  AVAILABLE  FROM  THIS OFFICE. PLEASE STATE
        WHICH DOCUMENTS YOU WISH MAILED TO YOU:                              
           #37.6 SDINET OVERVIEW DESCRIPTION DOCUMENT
           19 PAGES, REVISED SEPT. 1985
           #41.7 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:
           PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES)
           227 PAGES, REVISED SEPT. 1985
           #45.2 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:
           PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES)
           300 PAGES, JUNE 1986
           #47.3 SDINET CONNECTIVITY REQUIREMENTS
           65 PAGES, REVISED APRIL 1986
           #48.8 HOW TO LINK INTO THE SDINET
           25 PAGES, JULY 1986
           #49.1 X.25 AND X.75 CONNECTIONS TO SDINET (INCLUDES JAPANESE,
           EUROPEAN, AND HAWAIIAN NODES)
           8 PAGES, DECEMBER 1986
           #55.2 SDINET MANAGEMENT PLAN FOR 1986 TO 1988
           47 PAGES, NOVEMBER 1985
           #62.7 UNCLASSIFIED SDINET MEMBERSHIP LIST (INCLUDES MAJOR
           MILNET CONNECTIONS)
           24 PAGES, NOVEMBER 1986
           #65.3 CLASSIFIED SDINET MEMBERSHIP LIST
           9 PAGES, NOVEMBER 1986
           #69.1 DEVELOPMENTS IN SDINET AND SDI DISNET
           28 PAGES, OCTOBER 1986
           SINCERELY YOURS,                                                  
           MRS. BARBARA SHERWIN                                              
           DOCUMENTS SECRETARY                                               
           SDINET PROJECT                                                    
           Steve  White called back from Tymnet. "I've traced your connection
        over  to  the University of Bremen. And the Bundespost has traced the
        Datex  line  from  Bremen  into  Hannover. In the past half hour, the
        technician  traced  the  line  and  has narrowed it down to one of 50
        telephone numbers."
           "Why can't they get the actual number? " "Wolfgang's unclear about
        that. It sounds like they've determined the number to be from a group
        of local phones, but the next time they make a trace, they'll zero in
        on the actual telephone. From the sound of Wolfgang's message,
        they're excited about solving this case."                            
           The  next  day, at 10:17 a.m., the hacker came back. This time, he
        wasn't interested in SDI files. Instead, he went out over the Milnet,
        trying to break into military computers.                             
           He  was  concentrating  on air force and army computers, though he
        occasionally  knocked  on  the  navy's door as well. Places I'd never
        heard  of,  like  the Air Force Weapons Lab, Descom headquarters, Air
        Force CC OIS, and the CCA-amc. Fifty places, all without success.    
           Then  he  slid across the Milnet into a computer named Buckner. He
        got  right  in . . . didn't even need a password on the account named
        "guest."                                                             
           He'd  broken  into  the Army Communications Center in Building 23,
        Room 121, of Fort Buckner. Fort Buckner was in Okinawa.              
           What a connection! From Hannover, Germany, the hacker linked to
        the  University  of Bremen, across a transatlantic cable into Tymnet,
        then into my Berkeley computer, and into the Milnet, finally reaching
        Okinawa.                                                             
           A  bit  after  11 in the morning, he finally grew tired and logged
        off.  While he'd circled the globe with his spiderweb of connections,
        the German Bundespost had homed in on him.                           
           The  phone  rang-had  to  be Steve White. "Hi Cliff, " Steve said,
        "The  trace  is complete." "The Germans got the guy? " "They know his
        phone number." "Well, who is he? " I asked.                          
           "They can't say right now, but you're supposed to tell the FBI."  
           "Just  tell  me this much, " I asked Steve. "Is it a computer or a
        person?  " "A person with a computer at his home. Or should I say, at
        his  business."  Days  later, Tymnet passed along a chilling message:
        "This  is  not a benign hacker. It is quite serious. The scope of the
        investigation  is  being  extended.  Thirty people are now working on
        this  case.  Instead of simply breaking into the apartments of one or
        two  people, locksmiths are making keys to the houses of the hackers,
        and  the  arrests  will  be  made when the hackers cannot destroy the
        evidence. These hackers are linked to the shady dealings of a private
        company."                                                            
           Throughout the spring, I kept making new bait. My mythical Barbara
        Sherwin  created  memos  and letters, requisitions and travel orders.
        Here  and  there,  she sprinkled a few technical articles, explaining
        how the SDI network interconnected all sorts of classified computers.
           On  Monday,  April  27,  came  one of the biggest shocks. A letter
        arrived, addressed to the imaginary Barbara Sherwin.                 
           Triam International, Inc.                                         
           6512 Ventura Drive                                                
           Pittsburgh, PA 15236 April 21, 1987                               
           Dear Mrs. Sherwin:                                                
           I am interested in the following documents. Please send me a price
        list  and  an  update  on  SDI  Network  Project.  Thank you for your
        cooperation.                                                         
           Very truly yours,                                                 
           Laszlo J. Balogh                                                  
           Balogh  then  asked  for every phony document I had made up in the
        file called FORM LETTER.                                             
           Someone   had   swallowed   the  bait  and  was  asking  for  more
        information! I could understand it if the letter came from Hannover.
        But Pittsburgh?                                                      
           I  called  Mike  Gibbons at the Alexandria FBI office and told him
        about it.                                                            
           "OK, " Mike said. "Listen up carefully. Don't touch that letter.  
         Especially,  don't  touch  around  the  edges.  Go  find  a glassine
        envelope.  Gently insert the paper in the envelope. Then express mail
        it to me. Whatever you do, don't handle it. Wear gloves if you must."
           This  sounded  like  Dick Tracy's "Crimestoppers, " but I followed
        orders.                                                              
           A  hacker  in  Hannover,  Germany,  learns a secret from Berkeley,
        California.  Three  months  later,  a  Hungarian  named Laszlo Balogh
        living  in  Pittsburgh  writes  us  a  letter. What's happening here?
        Tuesday morning, June 23, Mike Gibbons called from the FBI.
           "You  can  close  up  shop,  Cliff."  "What's  happened? " "Arrest
        warrants were issued this morning at 10." "Anyone arrested?" "I
        can't say." Something was happening. But Mike wouldn't say what.     
           A  few hours later, Wolfgang Hoffman sent a message: "An apartment
        and  a  company  were  searched,  and  nobody  was  home at the time.
        Printouts,  disks,  and tapes were seized and will be analyzed in the
        next few days. Expect no further break-ins."                         
           Finally,  it was over. The FBI still wasn't talking, but I managed
        to find out who the Germans had fingered; I could now attach a name to
        the shadowy hacker I had chased across two continents: Markus Hess.
           So  what  really  happened?  Was  Hess working alone, or was he in
        league  with  others? And why was he breaking into defense department
        computers?  Here's  my estimate, based on interviews, police reports,
        newspaper accounts, and messages from German computer programmers. In
        the mid-1980s, a dozen hackers started the Chaos Computer Club, whose
        members specialized in creating viruses, breaking into computers, and
        serving  as  a  computer  counterculture. Through electronic bulletin
        boards  and telephone links, they anonymously exchanged phone numbers
        of hacked computers, as well as stolen passwords and credit cards.   
           Markus  Hess  knew  of  the  Chaos  Club,  although he was never a
        central  figure  there.  Rather,  he kept his distance as a freelance
        hacker.  During  the  day,  he  worked  at  a  small software firm in
        downtown Hannover.
           Over  a  crackling  phone  connection,  an  astronomer  friend  in
        Hannover  explained  to  me, "You see, Hess knew Hagbard, who kept in
        touch with other hackers in Germany, like Pengo and Frimp. Hagbard is
        a pseudonym, of course, his real name is . . . "
           Hagbard.  I'd heard that name before-he'd broken into Fermilab and
        Stanford.                                                            
           Hagbard  worked  closely  with  Markus  Hess.  The two drank beers
        together at Hannover bars and spent evenings behind Hess's computer. 
           Apparently, Hess just played around the networks at first,
        searching  for  ways to connect around the world. Like a ham-radio
        operator,  he  started  out a hobbyist, trying to reach as far
        away  as  possible.  In  the  beginning,  he  managed  to  connect to
        Karlsruhe; later he reached Bremen over the Datex network.
           Soon  he  discovered that many system managers hadn't locked their
        back  doors. Usually these were university computers, but Markus Hess
        began  to  wonder:  how many other systems were wide open? What other
        ways could you sneak into computers?                                 
           By  September 1985, Hagbard and Pengo were routinely breaking into
        computers  in  North  America: mostly high energy physics labs, but a
        few  NASA sites as well. Excitedly, Hagbard described his exploits to
        Hess.                                                                
           Hess  began  to explore outside of Germany. But he no longer cared
        about  universities  and  physics  laboratories-he  wanted  some real
        excitement.  Hess now targeted the military. The leaders of the Chaos
        Computer Club had issued a warning to their members: "Never penetrate
        a  military  computer.  The security people on the other side will be
        playing  a  game  with  you, almost  like  chess. Remember that they've
        practiced  this  game  for  a  long  time. . . . " Markus Hess wasn't
        listening.
           Hess  apparently  found  his  way  into  an  unprotected  computer
        belonging  to  a  German subsidiary of U.S. defense contractor Mitre.
        Once  inside that system, he discovered detailed instructions to link
        into   Mitre's  computers  in  Bedford,  Massachusetts,  and  McLean,
        Virginia.  By summer 1986, Hess and Hagbard were operating separately
        but  frequently  comparing notes. Meanwhile, Hess worked in Hannover,
        programming VAX computers and managing several systems.              
           Hess  soon expanded his beachhead at Mitre. He explored the system
        internally, then sent out tentacles into other American computers. He
        collected  telephone  numbers  and network addresses and methodically
        attacked  these  systems.  On  August 20, he struck Lawrence Berkeley
        Labs.                                                                
           Even then, Hess was only fooling around. He'd realized that he was
        privy  to  secrets,  both industrial and national, but kept his mouth
        shut.  Then,  around  the  end  of  September,  in  a  smoky Hannover
        beergarden, he described his latest exploit to Hagbard.              
           Hagbard  smelled money. And Hagbard knew who to contact: Pengo, in
        West Berlin.                                                         
           Pengo,  with  his  contacts to hackers across Germany, knew how to
        use  Hess's information. Carrying Hess's printouts, one of the Berlin
        hackers  crossed  into  East Berlin and met with agents from the East
        German Staatssicherheitsdienst-the Secret Service.                   
           The deal was made: around 30,000 deutschemarks ($18,000) for
        printouts and passwords.
           From  there,  who knows what happened to the information? The East
        German  Secret Service cooperates closely with the Soviet KGB; surely
        the Staatssicherheitsdienst would tell the KGB about this new form of
        espionage.                                                           
           The KGB wasn't just paying for printouts, though. Hess and company
        apparently  sold  their  techniques  as  well:  how to break into VAX
        computers;  which networks to use when crossing the Atlantic; details
        on how the Milnet operates.                                          
           Even  more  important to the KGB was obtaining research data about
        Western  technology,  including  integrated circuit design, computer-
        aided  manufacturing, and, especially, operating system software that
        was under U.S. export control. They offered 250,000 deutschemarks for
        copies of Digital Equipment's VMS operating system.                  
           According to the German television station NDR, the Berlin hackers
        supplied  much  of  this  order,  including  source  code to the Unix
        operating  system,  designs for high-speed gallium-arsenide integrated
        circuits,  and  computer  programs  used  to engineer computer memory
        chips. Hagbard wanted more than money. He demanded cocaine. The East
        German Secret Service was a willing supplier.
           Hagbard passed some of the money (but none of the cocaine) to Hess
        in return for printouts, passwords, and network information. Hagbard's
        cut  went  toward  paying his telephone bill, which sometimes ran over
        $1,000  a  month  as he called computers around the world. Hess saved
        everything.  He kept a detailed notebook and saved every session on a
        floppy  disk.  This  way,  after  he  disconnected  from  a  military
        computer,  he  could  print  out the interesting parts and pass these
        along to Hagbard and on to the KGB.                                  
           Also on the KGB's wish list was SDI data. As Hess searched for it,
        I  naturally  detected  SDI showing up in his requests. And I had fed
        Hess plenty of SDI fodder. But could the East Germans (or KGB?) trust
        these  printouts? How could they be sure Hagbard wasn't inventing all
        of this to feed his own coke habit?                                  
           The  KGB  decided  to  verify the German hacker ring. The mythical
        Barbara  Sherwin served as a perfect way to test the validity of this
        new form of espionage. She had, after all, invited people to write to
        her for more information.                                            
           But  secret  services  don't  handle  things  directly.  They  use
        intermediaries.  The  East  Germans  (KGB?) contacted another agency,
        either the Hungarian or Bulgarian intelligence service. They, in turn,
        apparently   had  a  professional  relationship  with  a  contact  in
        Pittsburgh: Laszlo Balogh.
           Does  the  FBI  have enough evidence to indict Laszlo Balogh? They
        won't  tell  me.  But the way I see it, Laszlo's in deep trouble: the
        FBI  is  watching him, and whoever's pulling his puppet strings isn't
        pleased.                                                             
           The  West  German  police, though, have plenty of evidence against
        Markus Hess. Printouts, phone traces, and my logbook. When they broke
        into  his  apartment  on  June 29, 1987, they seized a hundred floppy
        disks,  a computer, and documentation describing the U.S. Milnet. But
        when  the  police  raided Hess's apartment, nobody was home. Though I
        was  waiting  patiently  for him to appear on my computer, the German
        police entered his place when he wasn't connected.                   
           At his first trial, Hess got off on appeal. His lawyer argued that
        since  Hess  wasn't connected at the moment his apartment was raided,
        he might not have done the hacking. This, along with a problem in the
        search  warrants,  was  enough  to  overturn  the case against Hess on
        computer   theft.   But   the  German  federal  police  continued  to
        investigate.
           On  March  2,  1989,  German  authorities charged five people with
        espionage:  Pengo,  Hagbard,  Peter  Carl, Dirk Bresinsky, and Markus
        Hess.                                                                
           Peter  Carl  met regularly with KGB agents in East Berlin, selling
        any data the others could find. When the German officials caught up
        with him, he was about to run off to Spain. He's now in jail, waiting
        for trial, along with Dirk Bresinsky, who was jailed for desertion
        from the German army.
           Pengo  is  having  second thoughts about his years working for the
        KGB.  He  says  that  he  hopes he "did the right thing by giving the
        German police detailed information about my involvement." But as long
        as there's an active criminal case, he'll say no more.               
           All  the  same,  the  publicity hasn't helped Pengo's professional
        life  as a computer consultant. His business partners have shied away
        from  backing  him,  and  several of his computing projects have been
        canceled.  Outside of his business losses, I'm not sure that he feels
        there's anything wrong with what he did.                             
           Today,  Markus  Hess  is  walking the streets of Hannover, free on
        bail while awaiting a trial for espionage.                           
           Hagbard,  who  hacked  with  Hess  for  a  year, tried to kick his
        cocaine  habit in late 1988. But not before spending his profits from
        the  KGB:  he  was  deep in debt and without a job. In spring 1989 he
        found  a  job  at  the  office  of  a political party in Hannover. By
        cooperating  with  the  police,  he and Pengo avoided prosecution for
        espionage.                                                           
           Hagbard was last seen alive on May 23, 1989. In an isolated forest
        outside  of Hannover, police found his charred bones next to a melted
        can  of gasoline. A borrowed car was parked nearby, keys still in the
        ignition.
           No suicide note was found.

